The affected system, P&N says in the notice, stored a great deal of personally identifiable information (PII), as well as other sensitive data, including names, addresses, email addresses, phone numbers, customer numbers, age, account numbers and balance, and other details, which the bank refers to as non-sensitive.

“Upon becoming aware of the attack, we immediately shut down the source of the vulnerability,” P&N reveals.

The bank also says that, because its core banking system is completely isolated from the impacted system, the data breach did not cause the loss of customer funds, that credit card details were not accessed, and that banking passwords were not exposed.

P&N told customers it has already informed authorities on the incident. The bank says it has been working with West Australian Police Force (WAPOL), the involved hosting provider, expert advisers, and regulators on investigating the breach.

The bank has yet to provide information on the type of attack it fell victim to and the number of affected customers. We reached out to P&N via email and will update the article as soon as we receive a reply.

“The cyber incident at P&N Bank illustrates how organizations can be susceptible to data breaches through their third parties. In this case, the bank was performing a server upgrade when attackers stole data through a hosting provider,” Elad Shapira, Head of Research for Panorays, told SecurityWeek in an emailed comment.

“Cyber-attacks such as this one, demonstrate why it’s not enough for organizations to assess their own systems; they must also assess the risk posed by connecting with third parties,” Shapira continued.